Listen to this Post
The vulnerability resides in the `libceph` subsystem of the Linux kernel, specifically within the OSD (Object Storage Daemon) client’s handling of sparse-read operations. When a network fault occurs, the connection is abandoned and later re-established, with pending operations retried. The OSD client manages the progress of a sparse-read reply using a separate state machine that operates independently of the main messenger state. If a connection fails mid-payload or if the sparse-read state machine returns an error, this internal sparse-read state is not reset. Upon reconnection, the client mistakenly interprets the beginning of a new, legitimate reply as a continuation of the previously failed, partial operation. This causes a mismatch between expected and actual data lengths (e.g., “data len 142248331 != extent len 0”), leading to persistent socket errors and infinite recovery loops. The fix correctly resets the sparse-read state within the `osd_fault()` function, ensuring that all retried operations start from a clean state .
dailycve form:
Platform: Linux Kernel
Version: 6.6 to 6.6.120, 6.12 to 6.12.65, 6.18 to 6.18.5
Vulnerability : State Management Flaw
Severity: High (CVSS 3.1 7.1)
date: February 14, 2026
Prediction: Patched February 18, 2026
What Undercode Say:
Analytics:
The vulnerability is triggered by network instability during Ceph sparse-read operations, causing a desynchronization in the client’s state machine. This leads to a permanent denial-of-service condition as the client enters an unrecoverable error loop . The issue was introduced in kernel version 6.6 and affects all subsequent versions until the specific fix commits were backported to stable branches . Security vendors have assigned varying severity scores, with a general consensus on High importance due to the availability impact .
Exploit:
Successful exploitation requires the ability to induce a connection fault on an OSD link while a sparse-read operation is in progress. An attacker with network access between the kernel client and Ceph OSD could theoretically inject packets or manipulate network routing to terminate the TCP connection at a precise moment. This causes the kernel’s `libceph` to attempt a retry, but due to the unreset state, it will continuously fail, rendering the Ceph mountpoint or storage inaccessible. The following kernel log pattern indicates the exploit’s success condition :
Characteristic error loop in dmesg libceph: [bash] got 0 extents libceph: data len 142248331 != extent len 0 libceph: osd0 (1)...:6801 socket error on read
Protection from this CVE
Immediate mitigation requires updating the Linux kernel to a patched version. The fix is included in kernel versions 6.6.121, 6.12.66, 6.18.6, and 6.19 onward . System administrators can verify their current kernel version and check for the error pattern using :
Check current kernel version uname -r Check logs for the vulnerability signature dmesg | grep -E "data len . != extent len|libceph.socket error" Example of patching a system (Ubuntu/Debian) sudo apt-get update && sudo apt-get install linux-image-generic sudo reboot
Impact
A successful exploit leads to a complete denial of service for the Ceph filesystem or block device on the affected client. The kernel enters an infinite loop of read errors and socket faults, preventing any I/O operations to the Ceph cluster. This can cause system instability, application hangs, and potential data unavailability for services relying on Ceph storage, without requiring root privileges from the attacker .
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: nvd.nist.gov
Extra Source Hub:
Undercode

